Incident Score: Analysis & Impact (TRETHE1781108679)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Attachment (T1566.001) with high confidence (90%), supported by evidence indicating distributed via email spam and ClickFix lures and Phishing: Spearphishing Link (T1566.002) with high confidence (90%), supported by evidence indicating clickFix lures. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (80%), supported by evidence indicating malware-as-a-service (MaaS) for $5,000 per month and Command and Scripting Interpreter: PowerShell (T1059.001) with moderate confidence (50%), supported by evidence indicating hVNC, TightVNC for remote control. Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (80%), supported by evidence indicating persistence through registry keys or scheduled tasks and Scheduled Task/Job: Scheduled Task (T1053.005) with moderate to high confidence (80%), supported by evidence indicating persistence through registry keys or scheduled tasks. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with high confidence (90%), supported by evidence indicating uAC bypass previously used by LockBit and BlackMatter and Event Triggered Execution: Component Object Model Hijacking (T1546.015) with moderate to high confidence (80%), supported by evidence indicating cOM-elevation technique to bypass Chromes App-Bound Encryption. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating disguising itself as HijackLoader, a known packer and Hide Artifacts: Hidden Window (T1564.003) with high confidence (90%), supported by evidence indicating hVNC such as control without visible windows or cursor movement. Under the Credential Access tactic, the analysis identified Steal Web Session Cookie (T1539) with high confidence (95%), supported by evidence indicating hijacking active user sessions to drain cryptocurrency, Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (90%), supported by evidence indicating harvested from the victim’s browser to crack wallet passwords, and Input Capture: Keylogging (T1056.001) with moderate to high confidence (80%), supported by evidence indicating keystroke logging and clipboard monitoring. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating scans for wallets upon infection and Process Discovery (T1057) with moderate confidence (60%), supported by evidence indicating hVNC for remote control of infected machines. Under the Collection tactic, the analysis identified Automated Collection (T1119) with moderate to high confidence (80%), supported by evidence indicating scans for wallets upon infection, Clipboard Data (T1115) with high confidence (90%), supported by evidence indicating clipboard clipper to swap wallet addresses mid-transaction, and Data from Information Repositories: Code Repositories (T1213.001) with moderate confidence (50%), supported by evidence indicating plans to inject code into Electron-based wallet apps. Under the Command and Control tactic, the analysis identified Remote Access Software (T1219) with high confidence (90%), supported by evidence indicating remote desktop access via TightVNC and Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (70%), supported by evidence indicating hVNC for stealthy remote control. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating cloned browser profiles, wallet data exfiltrated and Automated Exfiltration (T1020) with moderate to high confidence (80%), supported by evidence indicating browser-profile cloning to attacker’s system. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with high confidence (90%), supported by evidence indicating cryptocurrency theft via session hijacking and Account Access Removal (T1531) with moderate to high confidence (70%), supported by evidence indicating session hijacking to bypass MFA. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.